|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68226 FULLY UNABLE TO USE LOAD DATA LOCAL Startement IN Web Production Enviroments
Submitted: 2014-10-14 10:57 UTC Modified: 2020-06-04 08:54 UTC
Avg. Score:4.5 ± 0.8
Reproduced:20 of 20 (100.0%)
Same Version:8 (40.0%)
Same OS:8 (40.0%)
From: georgy dot garnov at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: PDO MySQL
PHP Version: 5.6.1 OS: ALL
Private report: No CVE-ID: None
 [2014-10-14 10:57 UTC] georgy dot garnov at gmail dot com
If you set open_basedir in your php.ini or use php as fcgi you will always got "The used command is not allowed with this MySQL version" error.
You can use new PDO($dsn,$login,$password, array(PDO::MYSQL_ATTR_LOCAL_INFILE => true)) but you will have no effect.
So you are fully unable to use LOAD DATA LOCAL INFILE.
That's because of \ext\pdo_mysql\mysql_driver.c
LINES 626 to 633
#if PHP_API_VERSION < 20100412
		if ((PG(open_basedir) && PG(open_basedir)[0] != '\0') || PG(safe_mode))
		if (PG(open_basedir) && PG(open_basedir)[0] != '\0') 
			local_infile = 0;
as you can see, you will always fail in production enviroments
no check if loaded file inside base dir just fail.
That's bad!!


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-10-14 15:20 UTC]
-Assigned To: +Assigned To: mysql
 [2014-10-14 15:20 UTC]
With libmysql we can't check the path. As soon as the feature is enabled the server can request any file it likes (Client sends SQL to server, the server parses it and requests the file, the client doesn't know SQL) therefore on PHP versions using libmysql we can't check the path.

With mysqlnd this is different, there we can check the path. Andrey do you have any thoughts on this? Any issues if we make this check less strict?

Security-wise "interesting" might be if a malicious server requests php://input or such.
 [2015-02-03 20:14 UTC] phpbugs2012 at joern dot heissler dot de
See also related
 [2017-10-24 08:12 UTC]
-Status: Assigned +Status: Open -Assigned To: mysql +Assigned To:
 [2020-06-04 08:54 UTC]
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-06-04 08:54 UTC]
Closing this ticket as duplicate of bug #68077.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Apr 21 13:01:27 2024 UTC